In the modern day, our internet security is at the forefront of our requirements, whether it be on a smartphone, computer or website.
Keeping your websites safe and secure requires multiple actions, and one of the most important is to implement HTTPS - also known as an SSL certificate.
What is HTTPS?
As you have used the internet before to browse your favourite websites (like this one!), you have probably noticed "http" appended to the start of a website address. HTTP stands for "Hypertext Transfer Protocol" - HTTPS is the same phrase but suffixed with an S which stands for - you guessed it - "secure".
HTTPS is the form of encryption that keeps your credit or debit card data and passwords secure every time you enter them on a website. On a regular HTTP website, that data can be intercepted, spied on and even altered by anyone between you and the site’s server - this could be someone on the shared Wi-Fi network as you (such as in coffee shops), someone from your internet service provider or government organisations such as the NSA which has garnered a lot of media attention in the US for topics just like this.
When you visit a regular HTTP website, the server responds to requests from your internet browser and then hands over the website’s unencrypted data. When visiting a HTTPS website, your browser and the server first perform an exchange of cryptographic keys. Those keys allow the server and browser to send messages only the other one can decrypt, locking out all eavesdroppers.
Peter Eckersley, a technologist with the Electronic Frontier Foundation, used former senator Ted Stevens’ internet analogy to describe the difference between HTTP and HTTPS:
We all know the adage that the Internet is like a series of tubes. If you use HTTP, those tubes are totally transparent. Anyone along the way can look inside and see exactly what you’re doing. Switch to HTTPS, on the other hand, and those tubes become opaque. Only people at the end can see what’s traveling through them.
HTTPS is not new
While it has gained lots of popularity over the last 12 months, HTTPS/SSL certificates are not a new concept. HTTPS first made an appearance way back in 1994 on the Netscape Navigator web browser! However, while HTTPS once was used almost solely to protect e-commerce (online shopping) websites and websites that required a user to login with potentially sensitive information, website administrators around the globee are increasingly rolling out HTTPS to all types of websites, whether it be a large corporate website or even a personal blog.
In 2017, approximately 50% of web visits are to websites that use HTTPS, up from less than 38% in the summer of 2015, according to Mozilla. That increase is due to a growing recognition that HTTPS offers far more than just security for your sensitive data, says the EFF’s Eckersley. It also protects what he described as “the right to read in private.”
HTTPS is on the rise (again)
A report from Google at the end of 2016 showed that 79 of the 100 most highly trafficked websites on the internet still do not yet use HTTPS encryption. Not only this, but according to Mozilla only 438,000 of the Alexa top 1 million sites offer HTTPS.
Most users still don’t know about HTTPS, and even if they do, they don’t have any control over it. They have to either transmit their data in the clear or go somewhere else,”says Aas. “If we’re going to protect those people, we need to get websites to adopt HTTPS…It’s really a lynchpin in the internet’s security right now.
Trust is implemented on the user
HTTPS protects more than just your confidentiality. HTTPS offers authentication, verification and what website administrators call “integrity.” For a website to register in a browser as HTTPS encrypted (marked with a padlock in the browser’s address bar), it needs to authenticate itself to prove that it’s the site it says it is. To do that, a website’s administrator asks a “certificate authority” organisation such as Comodo or Symantec to issue the site a certificate, a cryptographic key that can’t be forged. A certificate means that when your browser says you’re at https://www.cosmic.org.uk, you really are sharing your data with a Cosmic server and no-one else.
What can I do now?
If you don't already have HTTPS implemented, you can contact your website hosting provider and ask them about the possibility of having an SSL certificate implemented on your website - in most cases there will be a cost to this and it will vary depending on the provider and the level of certificate you purchase.
If you'd like to know more, contact the Cosmic team on info@cosmic.org.uk or phone 0330 088 3005.